Identity provider (IDP) agnostic authentication enforcement
Abstract
An intermediary server operates an application proxy. An access request is received for access to an application, where an access policy is associated with the application that specifies authentication method(s) acceptable for satisfying an authentication requirement enforced by the application proxy. The user agent is redirected to submit an authentication request to an identity provider for identity verification. An authentication response generated by the identity provider is received and includes information that specifies authentication method(s) used during the identity verification. If the authentication method(s) used during the identity verification match the authentication method(s) acceptable for satisfying the authentication requirement, the user will not be prompted to perform those authentication method(s) and the authentication requirement enforced by the application proxy is met. If they do not match, the user will be prompted to perform the authentication method(s) as a condition to access the application.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method, comprising:
receiving, at an intermediary server that operates an application proxy, a first access request from a first user agent, wherein the first access request is for access to a first application, wherein a first access policy associated with the first application specifies a first set of one or more authentication methods acceptable for satisfying a first authentication requirement enforced by the application proxy to access the first application; redirecting the first user agent to submit a first authentication request to a first identity provider for identity verification against a first user directory; receiving, from the first user agent, a first authentication response that was generated by the first identity provider that establishes that a first user has successfully authenticated to the first identity provider, wherein the first authentication response includes information that specifies a second set of one or more authentication methods used during the identity verification against the first user directory, and wherein the first authentication requirement is enforced independently of any second authentication requirement at the first identity provider; determining that the second set of one or more authentication methods matches to the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement enforced by the application proxy, and responsive to this determination, not prompting the first user to perform any of the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement; allowing the first user agent to access the first application; receiving, at the intermediary server that operates the application proxy, a second access request from a second user agent, wherein the second access request is for access to a second application, wherein a second access policy associated with the second application specifies a third set of one or more authentication methods acceptable for satisfying a third authentication requirement enforced by the application proxy to access the second application; redirecting the second user agent to submit a second authentication request to a second identity provider for identity verification against a second user directory; receiving, from the second user agent, a second authentication response that was generated by the second identity provider that establishes that a second user has successfully authenticated to the second identity provider, wherein the second authentication response includes information that specifies a fourth set of one or more authentication methods used during the identity verification against the second user directory, and wherein the third authentication requirement is enforced independently of any fourth authentication requirement at the second identity provider; determining that the fourth set of one or more authentication methods does not match to the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement enforced by the application proxy, and responsive to this determination, causing an authentication challenge to be transmitted to the second user agent for the second user to perform one of the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement; receiving an authentication challenge response from the second user agent; verifying the authentication challenge response; and allowing the second user agent to access the second application.
2 . The method of claim 1 , wherein prior to allowing the first user agent to access the first application,
setting one or more tokens that indicate that the first user has successfully authenticated and is authorized to access the first application including satisfying the first authentication requirement; redirecting the first user agent to re-submit the first access request with the set of one or more tokens; receiving the first access request with the set of tokens; and verifying the set of tokens.
3 . The method of claim 1 , wherein the first set of one or more authentication methods include one or more authentication methods that require something the first user has and/or something the first user is.
4 . The method of claim 3 , wherein the one or more authentication methods that require something the first user has includes one or more of: an email-based one-time password (OTP), a text-based OTP, an authenticator application time-based one-time password, and a hardware token OTP.
5 . The method of claim 1 , wherein the information that specifies the second set of one or more authentication methods used during the identity verification against the second user directory is within an authentication methods reference (amr) claim of the first authentication response.
6 . The method of claim 1 , further comprising:
receiving, at the intermediary server that operates the application proxy, a third access request from a third user agent, wherein the third access request is for access to a third application, wherein a third access policy associated with the third application specifies a fifth set of one or more authentication methods acceptable for satisfying a fifth authentication requirement enforced by the application proxy to access the third application; redirecting the third user agent to submit a third authentication request to a third identity provider for identity verification against a third user directory; receiving, from the third user agent, a third authentication response that was generated by the third identity provider that establishes that a third user has successfully authenticated to the third identity provider, wherein the third authentication response includes information that specifies a sixth set of one or more authentication methods used during the identity verification against the third user directory, and wherein the fifth authentication requirement is enforced independently of any sixth authentication requirement at the third identity provider; and determining that the third user has not enrolled in the specified fifth set of one or more authentication methods, and responsive to this determination, prompting the third user to enroll in one or more of the specified fifth set of one or more authentication methods.
7 . The method of claim 1 , wherein the application proxy generates the first authentication request and the second authentication request for transmission to the first identity provider and the second identity provider, respectively.
8 . A non-transitory computer-readable storage medium that, when executed by a processing system of an intermediary server, causes said intermediary server to perform operations, comprising:
receiving, at the intermediary server that operates an application proxy, a first access request from a first user agent, wherein the first access request is for access to a first application, wherein a first access policy associated with the first application specifies a first set of one or more authentication methods acceptable for satisfying a first authentication requirement enforced by the application proxy to access the first application; redirecting the first user agent to submit a first authentication request to a first identity provider for identity verification against a first user directory; receiving, from the first user agent, a first authentication response that was generated by the first identity provider that establishes that a first user has successfully authenticated to the first identity provider, wherein the first authentication response includes information that specifies a second set of one or more authentication methods used during the identity verification against the first user directory, and wherein the first authentication requirement is enforced independently of any second authentication requirement at the first identity provider; determining that the second set of one or more authentication methods matches to the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement enforced by the application proxy, and responsive to this determination, not prompting the first user to perform any of the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement; allowing the first user agent to access the first application; receiving, at the intermediary server that operates the application proxy, a second access request from a second user agent, wherein the second access request is for access to a second application, wherein a second access policy associated with the second application specifies a third set of one or more authentication methods acceptable for satisfying a third authentication requirement enforced by the application proxy to access the second application; redirecting the second user agent to submit a second authentication request to a second identity provider for identity verification against a second user directory; receiving, from the second user agent, a second authentication response that was generated by the second identity provider that establishes that a second user has successfully authenticated to the second identity provider, wherein the second authentication response includes information that specifies a fourth set of one or more authentication methods used during the identity verification against the second user directory, and wherein the third authentication requirement is enforced independently of any fourth authentication requirement at the second identity provider; determining that the fourth set of one or more authentication methods does not match to the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement enforced by the application proxy, and responsive to this determination, causing an authentication challenge to be transmitted to the second user agent for the second user to perform one of the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement; receiving an authentication challenge response from the second user agent; verifying the authentication challenge response; and allowing the second user agent to access the second application.
9 . The non-transitory computer-readable storage medium of claim 8 , wherein prior to allowing the first user agent to access the first application,
setting one or more tokens that indicate that the first user has successfully authenticated and is authorized to access the first application including satisfying the first authentication requirement; redirecting the first user agent to re-submit the first access request with the set of one or more tokens; receiving the first access request with the set of tokens; and verifying the set of tokens.
10 . The non-transitory computer-readable storage medium of claim 8 , wherein the first set of one or more authentication methods include one or more authentication methods that require something the first user has and/or something the first user is.
11 . The non-transitory computer-readable storage medium of claim 10 , wherein the one or more authentication methods that require something the first user has includes one or more of: an email-based one-time password (OTP), a text-based OTP, an authenticator application time-based one-time password, and a hardware token OTP.
12 . The non-transitory computer-readable storage medium of claim 8 , wherein the information that specifies the second set of one or more authentication methods used during the identity verification against the second user directory is within an authentication methods reference (amr) claim of the first authentication response.
13 . The non-transitory computer-readable storage medium of claim 8 , wherein the operations further comprise:
receiving, at the intermediary server that operates the application proxy, a third access request from a third user agent, wherein the third access request is for access to a third application, wherein a third access policy associated with the third application specifies a fifth set of one or more authentication methods acceptable for satisfying a fifth authentication requirement enforced by the application proxy to access the third application; redirecting the third user agent to submit a third authentication request to a third identity provider for identity verification against a third user directory; receiving, from the third user agent, a third authentication response that was generated by the third identity provider that establishes that a third user has successfully authenticated to the third identity provider, wherein the third authentication response includes information that specifies a sixth set of one or more authentication methods used during the identity verification against the third user directory, and wherein the fifth authentication requirement is enforced independently of any sixth authentication requirement at the third identity provider; and determining that the third user has not enrolled in the specified fifth set of one or more authentication methods, and responsive to this determination, prompting the third user to enroll in one or more of the specified fifth set of one or more authentication methods.
14 . The non-transitory computer-readable storage medium of claim 8 , wherein the application proxy generates the first authentication request and the second authentication request for transmission to the first identity provider and the second identity provider, respectively.
15 . An intermediary server, comprising:
a processing system; and a non-transitory machine-readable storage medium coupled to the processing system, wherein the non-transitory machine-readable storage medium stores instructions that, when executed by the processing system, causes the intermediary server to perform operations including:
receiving, at the intermediary server that operates an application proxy, a first access request from a first user agent, wherein the first access request is for access to a first application, wherein a first access policy associated with the first application specifies a first set of one or more authentication methods acceptable for satisfying a first authentication requirement enforced by the application proxy to access the first application,
redirecting the first user agent to submit a first authentication request to a first identity provider for identity verification against a first user directory,
receiving, from the first user agent, a first authentication response that was generated by the first identity provider that establishes that a first user has successfully authenticated to the first identity provider, wherein the first authentication response includes information that specifies a second set of one or more authentication methods used during the identity verification against the first user directory, and wherein the first authentication requirement is enforced independently of any second authentication requirement at the first identity provider,
determining that the second set of one or more authentication methods matches to the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement enforced by the application proxy, and responsive to this determination, not prompting the first user to perform any of the specified first set of one or more authentication methods acceptable for satisfying the first authentication requirement,
allowing the first user agent to access the first application,
receiving, at the intermediary server that operates the application proxy, a second access request from a second user agent, wherein the second access request is for access to a second application, wherein a second access policy associated with the second application specifies a third set of one or more authentication methods acceptable for satisfying a third authentication requirement enforced by the application proxy to access the second application,
redirecting the second user agent to submit a second authentication request to a second identity provider for identity verification against a second user directory,
receiving, from the second user agent, a second authentication response that was generated by the second identity provider that establishes that a second user has successfully authenticated to the second identity provider, wherein the second authentication response includes information that specifies a fourth set of one or more authentication methods used during the identity verification against the second user directory, and wherein the third authentication requirement is enforced independently of any fourth authentication requirement at the second identity provider,
determining that the fourth set of one or more authentication methods does not match to the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement enforced by the application proxy, and responsive to this determination, causing an authentication challenge to be transmitted to the second user agent for the second user to perform one of the specified third set of one or more authentication methods acceptable for satisfying the third authentication requirement,
receiving an authentication challenge response from the second user agent,
verifying the authentication challenge response, and
allowing the second user agent to access the second application.
16 . The intermediary server of claim 15 , wherein prior to allowing the first user agent to access the first application,
setting one or more tokens that indicate that the first user has successfully authenticated and is authorized to access the first application including satisfying the first authentication requirement; redirecting the first user agent to re-submit the first access request with the set of one or more tokens; receiving the first access request with the set of tokens; and verifying the set of tokens.
17 . The intermediary server of claim 15 , wherein the first set of one or more authentication methods include one or more authentication methods that require something the first user has and/or something the first user is.
18 . The intermediary server of claim 17 , wherein the one or more authentication methods that require something the first user has includes one or more of: an email-based one-time password (OTP), a text-based OTP, an authenticator application time-based one-time password, and a hardware token OTP.
19 . The intermediary server of claim 15 , wherein the information that specifies the second set of one or more authentication methods used during the identity verification against the second user directory is within an authentication methods reference (amr) claim of the first authentication response.
20 . The intermediary server of claim 15 , wherein the operations further comprise:
receiving, at the intermediary server that operates the application proxy, a third access request from a third user agent, wherein the third access request is for access to a third application, wherein a third access policy associated with the third application specifies a fifth set of one or more authentication methods acceptable for satisfying a fifth authentication requirement enforced by the application proxy to access the third application; redirecting the third user agent to submit a third authentication request to a third identity provider for identity verification against a third user directory; receiving, from the third user agent, a third authentication response that was generated by the third identity provider that establishes that a third user has successfully authenticated to the third identity provider, wherein the third authentication response includes information that specifies a sixth set of one or more authentication methods used during the identity verification against the third user directory, and wherein the fifth authentication requirement is enforced independently of any sixth authentication requirement at the third identity provider; and determining that the third user has not enrolled in the specified fifth set of one or more authentication methods, and responsive to this determination, prompting the third user to enroll in one or more of the specified fifth set of one or more authentication methods.
21 . The intermediary server of claim 15 , wherein the application proxy generates the first authentication request and the second authentication request for transmission to the first identity provider and the second identity provider, respectively.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.